The Unified Performance, Risk, and Compliance Process Model

Recently, Nenshad Bardoliwalla wrote a nice series of 4 posts, entitled The Unified Performance, Risk, and Compliance Process Model, published in his blog and also on the Enterprise Irregulars website. The series of posts was excerpted from his excellent book Driven to Perform: Risk-Aware Performance Management From Strategy Through Execution, written with Stephanie Buscemi and Denise Broady, in which they describe how they unified performance, risk, and compliance into a coherent strategic management process framework.

He wrote one post for each phase of the classic performance management lifecycle: Part I - Strategize and Prioritize, Part II - Plan and Execute, Part III - Monitor and Analyze, and Part IV - Model and Optimize. The posts are well detailed and illustrated graphically, and provide prescriptive guidance on how to put all the pieces of their model together. Below is a summary of his posts:

Part I - Strategize and Prioritize

Understand the Corporate and Departmental Contexts

Review the corporate strategic goals, strategic plans, initiatives, and metrics. Contextualize them to the implications they have for the departments and use this context to drive the PM lifecycle.

Develop and Set the Strategy

First, review the environment. To get a holistic picture of risk, understand where you currently stand, assess the internal environment, and properly define and prioritize the most important risks, those with the greatest impact and likelihood of occurrence, recording for each its risk type, impact, probability, timeframe, and mitigation strategy and costs.

Next, get a holistic picture of the full set of compliance initiatives you will intersect with, such as SOX, OSHA, data privacy laws, and global trade regulations.

The next step is to set the mission, values, and vision:
- Define mission (the fundamental purpose of the entity, especially what it provides to customers and clients).
- Define core values (the attitude, behavior, and character of the organization).
- Define the vision. A vision is a concise statement that defines the 3- to 5-year goals of the organization.

Next, set the goals. Define a strategy and set business objectives using risks as a key variable for deciding which strategies to pursue.

Assign KPIs to Goals and Set the Right Targets

Define KPIs and targets that translate strategy into performance expectations.

Perform Additional Risk Analysis and Set KRIs

Now look again at risks to see what could keep you from meeting your goals.

Set a response strategy for the risk (treat, tolerate, transfer, or terminate).

Define KRIs and risk thresholds and tolerances for those risks.

Perform Additional Compliance Analysis

Define your compliance requirements. Define policies, procedures, and controls that must be in place to ensure that you can meet the compliance requirements.

Work on the Strategic Action Plan and Initiatives

The strategic initiatives help define the exact methodology (the roadmap) for achieving the various goals. The results of this planning may require revisiting the strategy.

First, develop the roadmap (sequence of actions) for achieving performance, risk, and compliance expectations.

Next, define critical success and failure factors for all initiatives. Every project or investment must, in addition to defining the critical factors for its success, also define its critical “failure factors,” that is, those circumstances under which the project or investment is no longer likely to be successful.

Finally, develop different risk-adjusted scenarios with contingency plans should risks to achieving plans materialize.

Cascade Accountability

Cascade accountability of KPIs, KRIs, and controls throughout the organization and ultimately into individual MBOs for alignment.

Part II - Plan and Execute

The plan and execute phase gets into the details of planning the strategic initiatives from both a financial and an operational standpoint.

Align Corporate Budget to Departmental Budget and Link Corporate and Departmental Initiatives

The budgeting process takes each of the outcomes or actions from the planning process and aligns revenues and expenses against them. Decisions regarding investment priorities and resource allocations define how the company will operate and set the bar for measuring performance.

To create risk-adjusted budgets, incorporate the range of possible revenues and costs of each action into the budget at the appropriate organizational level. Align risk-adjusted budgets with contingency plans that take effect should risk events occur, or should the risks to achieving the budget exceed the acceptable threshold.

Align Departmental Budget to Departmental Operational Plans

The operational planning process links the financial budget to specific operational factors. Plan out each step of each initiative, and consider what risks you have in each area of the operational plan. Should a risk materialize, you want a contingency plan already in place that shows the performance and risk implications of moving budget from one initiative to another.

Forecast Performance and Risks

Create rolling, risk-adjusted forecasts of the budget (revenues and costs) and of the operational plan (including the number, capacity, and cost of the resources necessary to achieve the plan), so that you can see trends over a rolling time horizon for those risks whose probability, consequence, and resiliency change over time.

Execute Plans

This step is essential but obvious: put the plan into action. Be prepared to execute the response defined for the risks associated with the plan once a threshold or tolerance is exceeded.

Part III - Monitor and Analyze

In the monitor and analyze phase of the risk-adjusted PM lifecycle, you monitor to understand what is happening in the business, analyze to understand why it is happening, and, for those things not on track, adjust to improve the situation relative to your goals.

The presentation of the information to be monitored is crucial to facilitating decision-making. Risk monitoring is aligned directly to KRIs across the source systems that provide the transactional data for each KRI. Dashboards linked to risks should help identify and manage the key risks among the overall set of risks, which are prioritized by exposure through quantitative and qualitative assessment.

- Monitor performance. You can evaluate the KPIs you’ve set to identify progress made toward achievement of objectives and trends.
- Monitor initiatives. You can also evaluate which initiatives are failing or behind schedule.
- Monitor risk. You can then evaluate important key risk indicators to identify:
  - What and where are our top risks?
  - What are the changes to the risk levels for key activities and opportunities?
  - Are risks being assessed in accordance with company policy or according to industry best practices?
  - Are our mitigation strategies effective in reducing the likelihood or impact of a risk?
- Monitor internal controls. Report key control deficiencies, approvals, verifications, and reconciliations to mitigate risk.
- Monitor any incidents and losses. What incidents or losses have occurred? If risks or losses have occurred, or external events are affecting the department, document this information, even if you haven’t been tracking it in the system yet.

Analysis is a key step in which you not only look at where you are, but also at what is happening (or what has happened) and why.

- Analyze performance. For KPIs, perform analysis to understand why they are increasing or decreasing.
- Analyze initiatives. To evaluate initiatives, perform analysis on the initiative to understand why it is succeeding or failing.
- Analyze risk. For KRIs, perform analysis to understand why they are increasing or decreasing.
- Analyze controls. When analyzing internal controls, you perform analysis on their effectiveness.
- Analyze root causes of incidents or losses. If incidents or losses occur, perform analysis on the root causes and trends.

After monitoring to know what has happened and analyzing to understand why it happened, for those things not going according to plan, it is time to set the business back on course by taking what you’ve learned and using that information to adjust the settings across the enterprise.

- Adjust performance. If you see KPIs trending in the wrong direction, once you have analyzed the root causes, it should be clear what actions to take to set things back on course.
- Adjust initiatives. For initiatives that are not going as planned, it becomes essential to rapidly take remedial action or cancel them.
- Adjust risk. For KRIs trending in the wrong direction, once you have analyzed the root causes, it should be clear what actions to take to set things back on course, often by putting the appropriate mitigating controls in place to stabilize them.
- Adjust controls. For control violations, adjustment takes the form of remediation and certification.
- Adjust after incidents or losses. For incidents and losses, the correct adjustments typically involve reexamining whether we are tracking the right risks and have put the appropriate controls in place to mitigate them.

Part IV - Model and Optimize

In the model and optimize phase, we strive to assess the drivers of performance and risk at a deep level, to understand the various alternatives we can pursue, with the goal of making the best decision given a certain set of constraints.

Modeling falls into three categories.

Revenue, Cost, and Profitability Modeling. Modeling the costs, revenue, and profitability implications of performance management, risk management, and compliance management activities and their drivers can be achieved at a very detailed level using activity-based costing and associated methodologies.

Scenario Modeling. Scenario modeling can be applied to financial and operational modeling and focuses on creating different business scenarios.

Simulation Modeling. More advanced modeling, including Monte Carlo simulation, supports creating a broad range of scenarios based on multiple iterations of input assumptions and combinations.

The goal at this phase of the PM lifecycle is to determine the optimal way to achieve objectives by taking into account the entire context of the problem, including all relevant constraints and assessments (costs, benefits, risk, labor, and time).

Wrapping Up

From a process unification perspective, risk and compliance management operating in tandem with performance management will become differentiating capabilities in the management of an organization.

From a technology unification perspective, business intelligence can be conceptualized as the base of the pyramid upon which performance management and governance, risk, and compliance are built, since it provides the basic technology capabilities and infrastructure that serve as a foundation for the higher layers of the pyramid. Connecting governance, risk and compliance capabilities with performance management capabilities through a common business intelligence platform establishes a single, unified, cleansed repository of information and common semantics on top of that information, which is critical to enabling risk-aware performance management business processes. Without this common foundation, it is impossible to obtain any synergies that extend beyond deploying any one of these capabilities in isolation.

